Relay Attacks and Distance Bounding Protocols in RFID Environments - PowerPoint PPT Presentation

Relay Attacks and Distance Bounding Protocols in RFID Environments Prof. Gildas Avoine Universit´ e catholique de Louvain, Belgium Information Security Group

SUMMARY RFID Background Relay Attacks Countermeasures and Evolved Frauds Protocols Analysis Framework Conclusion and Further Reading

RFID BACKGROUND RFID Background Relay Attacks Countermeasures and Evolved Frauds Protocols Analysis Framework Conclusion and Further Reading

Architecture Definition (RFID) [RFID] means the use of electromagnetic radiating waves or reactive field coupling in the radio frequency portion of the spectrum to communicate to or from a tag through a variety of modulation and encoding schemes to uniquely read the identity of a radio frequency tag or other data stored on it. T ag Reader T ag T ag T ag Back-end Reader kystem Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 4

Basic RFID Supply chain tracking. ◦ Track boxes, palettes, etc. www.aeroid.co.uk Libraries. ◦ Improve book borrowing and inventories. www.rfid-library.com Pet identification. ◦ Replace tattoos by electronic ones. ◦ ISO11784, ISO11785. www.flickr.com Localisation. ◦ Children in amusement parks, Elderly people. ◦ Counting cattle. www.safetzone.com Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 5

Evolved RFID Building access control. ◦ Eg. UCL, MIT. Credit: G. Avoine Automobile ignition key. Credit: G. Avoine ◦ Eg. TI DST, Keeloq. Public transportation. www.carthiefstoppers.com ◦ Eg. Brussels, Boston, Paris, ..., Thalys. Payment. ◦ Eg. Visa, Baja Beach Club. www.brusselnieuws.be Electronic documents. ◦ Eg. ePassports. Loyalty cards. blogs.e-rockford.com www.bajabeach.es Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 6

Tag Characteristics power frequency UHF active HF communication meters LF dm passive cm UID 1 KB 40 KB storage no pwd 10 cents sym crypto EPC asym crypto 50 cents ISO14443 euros calculation ISO15693 cost Logistics standard Access control Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 7

RELAY ATTACKS RFID Background Relay Attacks Countermeasures and Evolved Frauds Protocols Analysis Framework Conclusion and Further Reading

Variant of ISO 9798-2 Protocol 3 Verifier (secret k ) Prover (secret k ) N a Pick N a − − − − − − − − − → E k ( N a , N b ) ← − − − − − − − − Pick N b Protocol secure under common assumptions on E , k , N a , and N b . Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 9

Relay Attack Prover Verifier Adversary Adversary 10000 km Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 10

Relay Attack Definition and Do-Ability Definition (Relay Attack) A relay attack is a form of man-in-the-middle where the adversary manipulates the communication by only relaying the verbatim messages between two parties. Reader starts a timer when sending a message. ◦ To avoid semi-open connections. ◦ The timer is not tight. Example: ISO 14443 “Proximity Cards”. ◦ Used in most secure applications. ◦ Standard on the low-layers (physical, collision-avoidance). ◦ Default timer is around 5 ms. Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 11

Practicability Examples Radio link over 50 meters (G. Hancke 05). With some ACR122 (A. Laurie 09). With NFC cell phones or over Internet (libNFC). Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 12

COUNTERMEASURES AND EVOLVED FRAUDS RFID Background Relay Attacks Countermeasures and Evolved Frauds Protocols Analysis Framework Conclusion and Further Reading

Protocol Aims in General Framework Definition (Distance Checking) A distance bounding is a process whereby one party is assured: 1 Of the identity of a second party, 2 That the latter is present in the neighborhood of the verifying party, at some point in the protocol. Reader Tag Distance bounding does not avoid relay attacks. Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 14

No Fraud Reader Reader Tag Tag Adversary Adversary Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 15

Fraud Reader Reader Reader Adversary Adversary Tag Tag Reader Reader Adversary Adversary Tag Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 16

Measuring the Distance Global Positioning System (GPS). Received Signal Strength (RSS). Round Trip Time (RTT). Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 17

Distance Bounding Based on the Speed of Light Measure the round-trip-time (RTT) of a given message. ◦ Provide a bound on the distance. ◦ Idea introduced by Beth and Desmedt [Crypto90]. Reader Tag Message must be Accelerated authenticated computation Auth. is time-consuming Neighborhood Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 18

Simplified Hancke and Kuhn’s Protocol Description Reader Tag (secret K ) (secret K ) Pick a random N a N a − − − − − − − → � v 0 = 1 1 0 1 1 0 0 0 1 0 h ( K , N a ) = v 1 = 0 1 1 1 1 0 0 1 0 0 Start of fast bit exchange for i = 1 to n Pick C i ∈ R { 0 , 1 } C i Start Clock − − − − − − − → � v 0 i , if C i = 0 R i = v 1 i , if C i = 1 R i Stop Clock ← − − − − − − − Check: △ t i ≤ t max Check: correctness of R i End of fast bit exchange Question Adversary’s success probability (relay attack): 0. Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 19

Mafia Fraud Definition (Mafia Fraud) A mafia fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and an honest tag located outside the neighborhood. Mafia fraud: Desmedt, Goutier, Bengio [Crypto87]. Shamir about Fiat-Shamir protocol [Crypto86]: “I can go to a Mafia-owned store a million successive times and they still will not be able to misrepresent themselves as me.” (The NY Times, February 17, 1987, James Gleick). A.k.a., relay attack, chess grandmaster, wormhole problem, passive man-in-the-middle, middleman attack... Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 20

Distance Fraud Definition (Distance Fraud) Given a distance bounding protocol, a distance fraud is an attack where a dishonest and lonely prover purports to be in the neighborhood of the verifier. Example Home confinement is a legal measure by which a person is confined by the authorities to his residence. With such a measure where travels are restricted, a distance attack is definitely relevant, in order to allow the person under monitoring to leave his residence without being detected. Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 21

Terrorist Fraud Definition (Terrorist Fraud) A terrorist fraud is an attack where an adversary defeats a distance bounding protocol using a man-in-the-middle (MITM) between the reader and a dishonest tag located outside of the neighborhood, such that the latter actively helps the adversary to maximize her attack success probability, without giving to her any advantage for future attacks. Example The terrorist attack also makes sense in the case of home confinement because the arrested person may benefit from the help of an accomplice who stays close to the monitoring system while the person under control is away. In such a case, a terrorist fraud is needed because the ankle bracelet cannot be removed except by the authorities. Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 22

PROTOCOLS RFID Background Relay Attacks Countermeasures and Evolved Frauds Protocols Analysis Framework Conclusion and Further Reading

Theoretical Protocols Brands and Chaum (Eurocrypt 1993) Hancke and Kuhn (SecureComm 2005) Munilla, Ortiz, and Peinado (RFIDsec 2006) Reid, Neito, Tang, and Senadji (ASIACCS 2007) Singel´ ee and Preneeld (ESAS 2007) Tu and Piramuthu (EURASIP RFID Technologie 2007) Munilla and Peinado (Wireless Com. and Mobile Comp. 2008) Kim, Avoine, Koeune, Standaert, and Pereira (ICISC 2008) Nikov and Vauclair (eprint 2008) Avoine and Tchamkerten (ISC 2009) Kim and Avoine (CANS 2009) Peris-Lopez, Hernandez-Castro, et al. (arXiv.org 2009) Avoine, Floerkemeier, and Martin (Indocrypt 2009) . . . Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 24

HANCKE AND KUHN’S PROTOCOL (2005)

Simplified Hancke and Kuhn’s Protocol Description Reader Tag (secret K ) (secret K ) Pick a random N a N a − − − − − − − → � v 0 = 1 1 0 1 1 0 0 0 1 0 h ( K , N a ) = v 1 = 0 1 1 1 1 0 0 1 0 0 Start of fast bit exchange for i = 1 to n Pick C i ∈ R { 0 , 1 } C i Start Clock − − − − − − − → � v 0 i , if C i = 0 R i = v 1 i , if C i = 1 R i Stop Clock ← − − − − − − − Check: △ t i ≤ t max Check: correctness of R i End of fast bit exchange Gildas Avoine Relay Attacks and Distance Bounding Protocols in RFID Environments 26